Squid issues



  • Hi all,

    I tried to install Squid + Dansguardian last night and utterly failed. Everything seemed to install correctly from the packages, but the tutorials that I've seen said to put the proxy server on the loopback interface. This does not appear to work.

    I only see messages in the /var/Squid/logs/access.log and only see proxy server detected on whatismyipaddress.com/proxy-check when I have an interface selected such as LAN. And then it is only devices on that interface that go through the proxy. That part makes sense, but why isn't the loopback working?

    And because loopback isn't working, Dansguardian will obviously have issues running. I installed the latest Squid 2 via the packages and the latest Dansguardian package.

    Thanks in advance for any help!



  • Squid should run fine on the loopback interface. How are you determining that it is not running and that configuring it to run on the loopback is the issue?



  • @rjcrowder:

    Squid should run fine on the loopback interface. How are you determining that it is not running and that configuring it to run on the loopback is the issue?

    I too have never got it to work on the loopback. It will work if I unselect loopback and point to the gateway NICs for the respective subnets. I have 5 subnets and each network has its own gateway, like 10.1.1.1, 10.2.1.1, 10.3.1.1, and so on.



  • Pretty sure mine is working on the loopback… I will double check tonight and post some screenshots if it is.



    If I go to this web address whatismyipaddress.com/proxy-check, and because I haven't selected the option in pfSense to remove the proxy information in the header, it should detect that the proxy is working.

    I got everything working. I want to post my solution for anyone else that may have similar issues.

    I was trying to do squid + dansguardian. I had to select LAN for both Squid and Dansguardian. Then, in Dansguardian I put in the IP of my router for the proxy server address.

    Then anything on the LAN network will go through the proxy regardless of whether it goes through Dansguardian as well.

    The magic to get traffic from a network to go through Dansguardian is the NAT (port forwarding) rules.

    For each network you want to go through Dansguardian you do the following:

    For the LAN:

    Interface: LAN
    Proto: TCP/UDP (this might be able to be any)
    Source: LAN subnet (again, this can probably be any)
    Src Ports: any
    Dest: any
    Dst Ports: 80
    Redirect IP: Router IP
    Redirect Port: 8080

    For an OPT interface, let's call it TEST:

    Interface: TEST
    Proto: TCP/UDP (this might be able to be any)
    Source: TEST subnet (again, this can probably be any)
    Src Ports: any
    Dest: any
    Dst Ports: 80
    Redirect IP: Router IP
    Redirect Port: 8080

    Now after creating these rules in the NAT, they will also create firewall rules on the respective interfaces. If you have blocked traffic from your optional interfaces such as TEST to your LAN network, you need to move this newly created NAT firewall rule ABOVE any explicit blocks. If blocking is implicit (meaning the allow rules you have don't allow access and therefore everything else is blocked) then you shouldn't need to move it.

    That's it! Now when I navigate to the URL noted above it sees that a proxy is detected based on the header test which is what I expect.

    I assume, though I have not tested it, that if I didn't want TEST to go through Dansguardian but only through the proxy, I would just disable the NAT rule for the TEST interface and combo select the TEST network with LAN on the proxy server setup page.

    Have no idea why loopback won't work.

    Thanks!



  • When you bind squid to a real interface, pfSense creates a hidden redirect rule like:

    rdr on em1 inet proto tcp from any to ! (em1) port = http -> 127.0.0.1 port 3128

    where em1 is the interface squid is bound to.

    So every packet with destination port=HTTP coming in on the interface will be forwarded to squid. This is the ideal scenario for squid in transparent mode.

    When you bind squid to loopback, pfSense also creates a hidden redirect rule:

    rdr on lo0 inet proto tcp from any to ! (lo0) port = http -> 127.0.0.1 port 3128

    which doesn't seem to make any sense. Squid in transparent mode won't work with it, but squid in explicit mode will.
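    To put the two posts above side by side, here is a pf.conf-style view of the rules involved: the port forwards from the earlier solution post and the hidden Squid redirects described in this one. This is an added illustration written for this thread, not a ruleset copied from a pfSense box (pfSense generates its own ruleset from the GUI); the interface names em1/em2 and the gateway addresses are assumed.

```pf
# Added illustration (not from the thread): pf.conf-style equivalent of the GUI
# configuration discussed above. Interface names and addresses are assumed.
lan_if  = "em1"        # assumed: LAN
test_if = "em2"        # assumed: OPT interface "TEST"
lan_gw  = "10.1.1.1"   # assumed router address on LAN (Dansguardian listens here)
test_gw = "10.2.1.1"   # assumed router address on TEST

# 1. The port forwards created by hand in the NAT tab: HTTP from a client on the
#    subnet is redirected to Dansguardian on the router, port 8080. pf evaluates
#    rdr rules first-match, so these must be listed before the hidden Squid rule
#    in step 2, otherwise port 80 goes straight to Squid on 3128 and bypasses
#    the filter.
rdr on $lan_if  inet proto tcp from $lan_if:network  to any port 80 -> $lan_gw  port 8080
rdr on $test_if inet proto tcp from $test_if:network to any port 80 -> $test_gw port 8080

# 2. The rule pfSense adds on its own when Squid is bound to a real interface
#    (transparent mode). Anything the forwards above did not catch still lands
#    in Squid; Dansguardian itself passes filtered requests on to Squid at the
#    router address configured in the earlier post.
rdr on $lan_if inet proto tcp from any to ! ($lan_if) port 80 -> 127.0.0.1 port 3128

# 3. The same hidden rule when Squid is bound to loopback. Client packets arrive
#    on em1/em2, never on lo0, so this rdr matches nothing and transparent
#    interception silently does nothing. Explicit (browser-configured) proxying
#    does not depend on this rdr at all, which is why it keeps working.
rdr on lo0 inet proto tcp from any to ! (lo0) port 80 -> 127.0.0.1 port 3128

# 4. Firewall rules. Creating a port forward in the GUI also adds a pass rule on
#    that interface. With "quick", pf stops at the first match, so the pass rule
#    must sit above an explicit block from TEST to LAN; an implicit deny (no pass
#    rule at all) needs no reordering.
pass  in quick on $test_if inet proto tcp from $test_if:network to $test_gw port 8080
block in quick on $test_if inet from $test_if:network to $lan_if:network
```

    The ordering in steps 1 and 4 is the whole trick: the user port forward has to win the rdr match ahead of the package's hidden 3128 rule, and its companion pass rule has to win the filter match ahead of any inter-subnet block.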



  • I am using transparent mode, hence could never get the loopback to work. Never tried it in standard mode as I have too many devices in the network and not all are configurable, like TVs, Blu-ray players, etc.

